Top 12 PHP Security Tips For Linux Admins

Posted on - Last Modified on

Developers love using PHP as a major server side scripting programing language. PHP has such a huge market share dominance that other programming languages are left with a minute space to compete. The recent release of PHP gives current developers more zeal to develop competent programs that outlive them. Though there are changes already out, there is skepticism from some developers about the future of PHP, and they cite security as the main reason. PHP has strong security, but developers are supposed to implement the security features. This article intends to highlight some security tips Linux administrators can use in their work. These tips help developers ensure their web application is secure, and functioning properly. Before going through the tips, it is necessary to understand we have used Fedora as an operating system, but the tips can work well with Ubuntu or any other form of Linux distribution. The tips will assist you to secure your website from different kinds of usual attacks, that include Cross-Site Scripting (XSS), File uploads, sea-surf attacksSQL injection, and eval ().

  1. Avoid unnecessary modules

Developers of PHP have made it with inherent PHP modules. Users can apply the modules in several tasks, though not all projects require them. If you need to see the ready PHP modules, type the command # PHP – m. When you access the list, delete all the modules you do not require. Fewer modules enables you to enhance the security and performance of your web application.

  1. Do not allow leakage of PHP information

Leakage of information from various platforms is a norm. For instance, PHP allows the flow of information that includes various versions. This happens through the help of expose_php directive. If you need the leakage to stop, ensure the directive is off in security.ini. If a user wants to know the state and version, they can run the Curl command in the specific web address, and this information will come up.

  1. Restrict the execution of remote code

One of the usual security errors in PHP is the execution of remote code. Your system comes with a remote code execution that is ready for action. Various functions that include URL-aware, require, and open wrappers among others, can access PHP files through the permission of allow_url_fopen directive. Experts in PHP execution have determined that remote access can make the system exposed in the presence of code injection susceptibilities. If you want to secure your system from attacks of execution of remote, set the allow_url_fopen to ‘off.’

  1. Errors in Log PHP

You can secure your app through ensuring there is no visitor who gets access to any error in your web. This ensures there is no hacker who can jeopardize your web’s security. You can do this through editing in the /php.d/security.ini file. You could be wondering how a developer can debug a code without having a display of errors. PHP has not restricted developers to only one method of debugging. They can debug any code using log_errors directive. They only need to ensure that the log_errors is ‘on’ in security.ini.

  1. Use resources properly

You need to use resources prudently if you want a secure web application. To ensure security and proper execution, ensure you have limited PHP execution for all scripts. You may also move a step further by limiting the time your web application takes to analyze request data. Once you have managed to control execution time, you should ensure you have configured other resources in your application, such as memory usage. You can manage these metrics and more through editing your security.ini.

  1. Deactivate lethal PHP functions

Developers of PHP made sure it has many functions, for the purpose of developing many apps. However, it has numerous apps that hackers can use to ensure your web application does not work. If you disable such functions, you will increase the total security of your web application. The hazardous PHP functions will not affect your application. You can do this by editing php.ini. Once you have done that, look for the disable_functions command and set all dangerous functions.

  1. Disable upload files function

If you have developed a web application where you do not need to upload any files, you can disable the functionality, and this will ensure your application is secure. To do this, you should set file_uploads command to ‘off’ by accessing /php.d/directory in the security.ini file.

  1. Ensure your web application is up to date

Developers are working ‘round the clock to ensure they cover the technology you use in your application. This is the same for PHP. Since there is an open community that surrounds it, developers are constantly releasing bug fixes and patches. The updates help in providing security vulnerabilities and security fixes for use from the first day. If you need to have a secure application, ensure your PHP solution is always up to date. Moreover, keep all other related technology to the current patch, and this will ensure high security for your website.

  1. Control the access of file system

Developers have made PHP in such a manner that it can access various files using certain functions that include fopen(). The main enabler of accessing files is the open_basedir command. Newbies should set the command in /var/ directory since setting it to another directory can ruin the security of your app. If you are a new to Linux, and you feel there is need for more practice, has numerous projects related to Linux system administration. Browse them and choose any that you can work on to help yourself grow your knowledge base.

  1. Take care of the size of POST

HTTP POST function utilizes the browser of the client to relay any data to the primary web server. Any user can save a private document and send to the web browser for purposes of processing. Everything will work well, but it is not until a hacker decides to clog the system with a large file. This can make the system respond slowly, and if the user does not take any measures the system may collapse. If you limit the POST size, you will have secured your server.

  1. Use SSH to access remote computers

If you want computers to communicate securely, ensure they do so through secure socket shell (SSH). This is critical, especially if you want to gain remote access through the web. SSH helps you to ensure you are connecting to the correct computer. It allows you to authenticate your details before you gain access. For instance, if you try to access a remote computer using Telnet protocol, you can compromise the security of your Linux server because you have not encrypted it properly. SSH uses port 22 TCP by default, but you can choose a port of higher number and hence increase security. Moreover, you can limit the number of users who access your web if you open the main SSH configuration file.

  1. Use HTTPS if possible

You may not manage to protect your app if you are communicating in a network through the internet. If you have a web server such as Apache, it will not be hard for you to set up HTTPS since Apache supports encryption of secure sockets layer. Some users believe HTTPS is only for e-commerce, but this is not true. Ensure you log in to your web application through an encrypted and secure connection.

You have finally managed to secure your PHP server, and it can now display dynamic website pages. However, you could make it vulnerable if you do not follow the basic rules of programming. Security is a major concern for Linux administrators and web developers.

The tips above can help you secure your site, but if you have additional tips share them in the comment section below!

Posted 16 August, 2017


Software Developer

Lucy is the Development & Programming Correspondent for She is currently based in Sydney.

Next Article

Top Tips For Java